A report has been released detailing an issue that the reporter is naming "Grinch". This report incorrectly classifies expected behavior as a security issue.
The PackageKit console client (pkcon) is a utility which allows users in the
wheel group, also known as local administrators, to install packages. This utility allows local administrators to install packages without a password if they are a "local user", meaning they are using the physical keyboard attached to the computer. If you are a user who does not have a physical console (such as a remote users connected via SSH), you must supply authentication credentials to install packages.
This behavior is controlled in Red Hat Enterprise Linux 7 via the
/usr/share/polkit-1/rules.d/org.freedesktop.packagekit.rules file which mandates that installation of packages can only be done, without authentication credentials, if the user is local. On Red Hat Enterprise Linux 6, you must authenticate (even when working locally) to install packages. Previous versions of Red Hat Enterprise Linux (version 5 and earlier) do not use or provide PackageKit.
Red Hat does not consider this to be a security issue or even a bug. This is the expected behavior of the PackageKit console client.